* patched wdm (new API)
From: Tom @ 2003-10-02 12:59 UTC
To: selinux
Hi everyone -
I have patched the current wdm version so we have again an SELinux-aware
graphical login available.
Diff file and Debian package for Sid are on my website
(http://selinux.lemuria.org)
I have submitted the patch upstream for inclusion into the wdm tree.
I also would like to congratulate everyone who was involved in creating
the new API. It was much, much easier to patch wdm this time around,
and it required less total and especially less intrusive changes.
Tom
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: patched wdm (new API)
From: Peter Simons @ 2003-10-08 1:17 UTC
To: SELinux
Tom writes:
> I have patched the current wdm version so we have again an
> SELinux-aware graphical login available.
Out of curiosity: wdm requires WindowMaker as well, right?
Is there any chance these patches could be applied to xdm as well?
Peter
* Re: patched wdm (new API)
From: Russell Coker @ 2003-10-08 5:05 UTC
To: Peter Simons, SELinux
On Wed, 8 Oct 2003 11:17, Peter Simons wrote:
> > I have patched the current wdm version so we have again an
> > SELinux-aware graphical login available.
>
> Out of curiosity: wdm requires WindowMaker as well, right?
>
> Is there any chance these patches could be applied to xdm as well?
Have you tried the PAM module that Dan wrote? It should work for xdm as long
as it's PAM enabled.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: patched wdm (new API)
From: Tom @ 2003-10-08 7:52 UTC
To: SELinux
On Wed, Oct 08, 2003 at 03:17:38AM +0200, Peter Simons wrote:
> > I have patched the current wdm version so we have again an
> > SELinux-aware graphical login available.
>
> Out of curiosity: wdm requires WindowMaker as well, right?
No, it does require some of wmaker's libraries, but not wmaker itself,
and it will happily launch any other window manager, KDE or Gnome.
> Is there any chance these patches could be applied to xdm as well?
Absolutely. The patch is trivial enough and wdm was chosen by me
explicitly because it is much simpler and much closer to xdm than the
other (kdm, gdm) login managers.
Take a look at the patch - most of it is for configure and makefile stuff,
the actual code change is about a dozen lines.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: patched wdm (new API)
From: Stephen Smalley @ 2003-10-08 12:30 UTC
To: Russell Coker; +Cc: Peter Simons, SELinux, Daniel J Walsh
On Wed, 2003-10-08 at 01:05, Russell Coker wrote:
> Have you tried the PAM module that Dan wrote? It should work for xdm as long
> as it's PAM enabled.
I don't think you can just use a PAM session module for [xgk]dm; the
pam_open_session call is performed from the wrong process. But there is
a patched gdm available from Dan's site, under
ftp://people.redhat.com/dwalsh/SELinux, that will obtain and use the
user's default context.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: patched wdm (new API)
From: Manoj Srivastava @ 2003-12-01 20:34 UTC
To: selinux
On Thu, 2 Oct 2003 14:59:39 +0200, Tom <tom@lemuria.org> said:
> Hi everyone - I have patched the current wdm version so we have
> again an SELinux-aware graphical login available.
> I have submitted the patch upstream for inclusion into the wdm tree.
On 08 Oct 2003 08:30:21 -0400, Stephen Smalley <sds@epoch.ncsc.mil> said:
> there is a patched gdm available from Dan's site, under
> ftp://people.redhat.com/dwalsh/SELinux, that will obtain and use the
> user's default context.
Well, I have a nice xdm greeter setup, and I don't run
Gnome/KDE/Windowmaker, and I was disinclined to use startx just
because I wanted to secure my laptop. So I went ahead and patched xdm
from X 4.3.0 for SELinux. I have examined the patches for wdm/gdm,
and this xdm patch provides the same capabilities as the other
patches do.
This patch has been tested with and without SELinux support,
and on SELinux kernels, and vanilla kernels. This patch is against
the CVS version of the Debian XFree86 code (significant, since the
patches applied by Debian increase the fuzz, and may even require the
patch to be manually applied on vanilla X 4.3.0).
I am working with Debian's XFree86 maintainer to get this
patch incorporated into Debian's X packages.
As implemented, the patch merely provides a capability, which
has to be explicitly turned on at compile time with -DHasSELinux=YES.
If one does not compile with -DHasSELinux=YES, the patch is a no-op.
Since none of the code is compiled in, there is no change in
behaviour, nor is there any performance hit.
If you do turn on the SELinux compatibility with -DHasSELinux,
you would need libselinux at build time. In other words, the
mainline X build does not build depend on SELinux; the dependency is
only invoked if you explicitly pass a parameter to imake.
Even when SELinux compatibility is compiled in, on a non-SELinux
kernel it is dead code; there is no change in functionality,
apart from a single check to see if SELinux is available at each
login. The SELinux code paths are not exercised on non-SELinux
kernels.
The patch is fairly minimal (only 160 lines or so), and it
should be easy to check that it would not impact anything else.
manoj
[-- Attachment #2: SELinux support for xdm --]
diff -uBbwr xfree86-4.3.0-0.2003.11.30/xc/config/cf/Imake.tmpl xfree86-4.3.0-0.2003.11.30.sel/xc/config/cf/Imake.tmpl
--- xfree86-4.3.0-0.2003.11.30/xc/config/cf/Imake.tmpl 2003-11-30 22:44:35.000000000 -0600
+++ xfree86-4.3.0-0.2003.11.30.sel/xc/config/cf/Imake.tmpl 2003-12-01 13:26:29.000000000 -0600
@@ -2033,17 +2033,21 @@
* EXTRA_INCLUDES contains project-specific includes set in project incfiles
* INCLUDES contains client-specific includes set in Imakefile
* LOCAL_LDFLAGS contains client-specific ld flags flags set in Imakefile
+ * SELINUX_INCLUDES contains SELinux-specific includes set in the appropriate .cf file
+ * SELINUX_LDFLAGS contains SELinux-specific ld flags set in the appropriate .cf file
+ * SELINUX_CFLAGS contains SELinux-specific compiler flags set in the .cf file
+ * SELINUX_LIBS contains SELinux-specific libraries to link with set in the .cf file
*/
- ALLINCLUDES = $(INCLUDES) $(EXTRA_INCLUDES) $(TOP_INCLUDES) $(INSTALLED_INCLUDES) $(STD_INCLUDES)
+ ALLINCLUDES = $(INCLUDES) $(EXTRA_INCLUDES) $(TOP_INCLUDES) $(INSTALLED_INCLUDES) $(STD_INCLUDES) $(SELINUX_INCLUDES)
ALLDEFINES = $(ALLINCLUDES) $(STD_DEFINES) $(PROTO_DEFINES) $(THREADS_DEFINES) $(MODULE_DEFINES) $(DEFINES) $(EXTRA_DEFINES)
- CFLAGS = $(CDEBUGFLAGS) $(CCOPTIONS) $(THREADS_CFLAGS) $(MODULE_CFLAGS) $(ALLDEFINES)
+ CFLAGS = $(CDEBUGFLAGS) $(CCOPTIONS) $(THREADS_CFLAGS) $(SELINUX_CFLAGS) $(MODULE_CFLAGS) $(ALLDEFINES)
LINTFLAGS = $(LINTOPTS) -DLINT $(ALLDEFINES) $(DEPEND_DEFINES)
LDPRELIB = LdPreLib $(INSTALLED_LIBS)
LDPOSTLIB = LdPostLib
- LDOPTIONS = $(CDEBUGFLAGS) $(CCOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_LDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
+ LDOPTIONS = $(CDEBUGFLAGS) $(CCOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_LDFLAGS) $(SELINUX_LDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
CXXLDOPTIONS = $(CXXDEBUGFLAGS) $(CXXOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_CXXLDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
- LDLIBS = $(LDPOSTLIBS) $(THREADS_LIBS) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
+ LDLIBS = $(LDPOSTLIBS) $(THREADS_LIBS) $(SELINUX_LIBS) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
#if HasBrokenCCForLink
CCLINK = LdCmd
#else
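Review bot: LDOPTIONS gains $(SELINUX_LDFLAGS) but the CXXLDOPTIONS line immediately below it does not, so a C++ client built with HasSELinux=YES would receive the SELinux compiler flags and libraries but not the link flags; either add `$(SELINUX_LDFLAGS)` to CXXLDOPTIONS in the same position, or state in the new comment lines that the SELinux variables are wired up for C links only.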
diff -uBbwr xfree86-4.3.0-0.2003.11.30/xc/config/cf/linux.cf xfree86-4.3.0-0.2003.11.30.sel/xc/config/cf/linux.cf
--- xfree86-4.3.0-0.2003.11.30/xc/config/cf/linux.cf 2003-11-30 22:44:36.000000000 -0600
+++ xfree86-4.3.0-0.2003.11.30.sel/xc/config/cf/linux.cf 2003-12-01 13:28:31.000000000 -0600
@@ -1006,3 +1012,57 @@
#ifndef XFree86ServerOSDefines
# define XFree86ServerOSDefines
#endif
+
+/*
+ * SELinux support
+ */
+#ifndef HasSELinux
+# define HasSELinux NO
+#endif
+
+#ifndef SELinuxDefines
+# if HasSELinux
+# define SELinuxDefines -DHAVE_SELINUX
+# else
+# define SELinuxDefines /**/
+# endif
+#endif
+
+#ifndef SELinuxIncludeFlags
+# if HasSELinux
+# define SELinuxIncludeFlags -I/usr/include/selinux
+# else
+# define SELinuxIncludeFlags /**/
+# endif
+#endif
+
+#ifndef SELinuxCompileFlags
+# define SELinuxCompileFlags /**/
+#endif
+
+#ifndef SELinuxLoadFlags
+# define SELinuxLoadFlags SELinuxCompileFlags
+#endif
+
+#ifndef SELinuxLibraries
+# if HasSELinux
+# define SELinuxLibraries -lselinux
+# else
+# define SELinuxLibraries /**/
+# endif
+#endif
+
+#if HasSELinux
+# ifndef SELINUX_LDFLAGS
+ SELINUX_LDFLAGS = SELinuxLoadFlags
+# endif
+# ifndef SELINUX_INCLUDES
+ SELINUX_INCLUDES = SELinuxIncludeFlags
+# endif
+# ifndef SELINUX_CFLAGS
+ SELINUX_CFLAGS = SELinuxCompileFlags SELinuxDefines
+# endif
+# ifndef SELINUX_LIBS
+ SELINUX_LIBS = SELinuxLibraries
+# endif
+#endif
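Review bot: SELinuxIncludeFlags defaults to `-I/usr/include/selinux`, but the session.c hunk later in this patch includes the headers as `<selinux/selinux.h>` and `<selinux/get_context_list.h>`, which already resolve from the default include path; the extra -I is redundant and additionally lets an unqualified `#include <selinux.h>` compile, hiding the dependency. Suggest defaulting it to `/**/` and keeping the macro only as an override point for a non-standard prefix. Separately, the hunk header `@@ -1006,3 +1012,57 @@` shows six extra lines in the new linux.cf before this point that do not appear in the posted diff (`diff -B` suppresses blank-line-only changes), so please confirm nothing substantive was dropped from the posting.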
diff -uBbwr xfree86-4.3.0-0.2003.11.30/xc/programs/xdm/session.c xfree86-4.3.0-0.2003.11.30.sel/xc/programs/xdm/session.c
--- xfree86-4.3.0-0.2003.11.30/xc/programs/xdm/session.c 2003-11-30 22:44:35.000000000 -0600
+++ xfree86-4.3.0-0.2003.11.30.sel/xc/programs/xdm/session.c 2003-12-01 03:01:31.000000000 -0600
@@ -60,6 +60,11 @@
# include <krb5/krb5.h>
#endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
#ifndef GREET_USER_STATIC
# include <dlfcn.h>
# ifndef RTLD_NOW
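Review bot: the neighbouring conditional includes in this file use the indented `# include <...>` form (see the `# include <krb5/krb5.h>` line just above), while the new block uses `#include <selinux/selinux.h>`; match the file's existing style so the block does not stand out in later diffs. Labelling the `#endif` with `/* HAVE_SELINUX */` is consistent with the file and worth keeping.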
@@ -241,6 +246,34 @@
SessionExit (d, RESERVER_DISPLAY, TRUE);
}
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session */
+static int
+xdm_selinux_setup (const char *login)
+{
+ security_context_t scontext;
+ /* If selinux is not enabled, then we don't do anything */
+ if ( ! is_selinux_enabled ())
+ return TRUE;
+
+ if (get_default_context((char*) login,0, &scontext) < 0) {
+ LogError ("SELinux: unable to obtain default security context for %s.\n",
+ login);
+ return FALSE;
+ }
+
+ if (setexeccon (scontext) != 0) {
+ freecon (scontext);
+ LogError ("SELinux: unable to set executable context %s.\n",
+ (char *)scontext);
+ return FALSE;
+ }
+ freecon (scontext);
+ return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
+
/*
* We need our own error handlers because we can't be sure what exit code Xlib
* will use, and our Xlib does exit(1) which matches REMANAGE_DISPLAY, which
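Review bot: both failure paths in xdm_selinux_setup log only the login name or the context string, not why the libselinux call failed; appending `strerror(errno)` to the two LogError calls would let an administrator distinguish a missing default-context entry for the user from the kernel refusing setexeccon. Also note that the function treats every non-zero value from is_selinux_enabled() as "enabled", so an unexpected result falls through to get_default_context and ends in a refused login; that fails closed, which is the right choice, and a one-line comment saying so would stop a later cleanup from narrowing it to `== 1`.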
@@ -725,6 +758,19 @@
#endif /* K5AUTH */
bzero (passwd, strlen (passwd));
SetUserAuthorization (d, verify);
+
+#ifdef HAVE_SELINUX
+ /*
+ * for Security Enhanced Linux,
+ * set the default security context for this user.
+ */
+ if ( ! xdm_selinux_setup (name)) {
+ LogError ("failed to set Security context\n");
+ exit (UNMANAGE_DISPLAY);
+ return (0);
+ }
+#endif /* HAVE_SELINUX */
+
home = getEnv (verify->userEnviron, "HOME");
if (home)
if (chdir (home) == -1) {
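Review bot: the `return (0);` after `exit (UNMANAGE_DISPLAY);` is unreachable; drop it so the intended control flow is unambiguous. Since setexeccon() only affects the calling process, it would also help to add a comment confirming that this point in StartClient is already inside the forked child that goes on to exec the session (the same process that does the chdir(home) below), because that placement is what makes this approach work where a PAM session module run from the parent, as discussed earlier in the thread, does not.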
--
If you keep anything long enough, you can throw it away.
Manoj Srivastava <manoj.srivastava@stdc.com> <srivasta@acm.org>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
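The following is an added example, not code from the xdm patch above or from any of the posters: it shows, in self-contained C, the two points the thread turns on, namely Stephen Smalley's observation that the exec context has to be set in the process that will exec the session, and Manoj's compile-time switch that leaves the feature out of the mainline build. The function names `session_set_exec_context` and `spawn_session`, the `ctx_status` enum and the exit code 125 are assumptions chosen here; `HAVE_SELINUX` mirrors the patch's macro, and the libselinux calls (`is_selinux_enabled`, `get_default_context`, `setexeccon`, `freecon`) are the real library API. Built without `-DHAVE_SELINUX` it compiles on any system and the SELinux step is a no-op; built with `-DHAVE_SELINUX` it needs `-lselinux`. Whether libselinux sets errno on failure is library-dependent, so the strerror text is best-effort.

```c
/* Added example (not the xdm patch's code): the SELinux step of a
 * display-manager session launch, written so it builds both with and
 * without libselinux, the same way the patch's -DHasSELinux=YES switch
 * keeps the feature out of the mainline build. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifdef HAVE_SELINUX
#include <selinux/selinux.h>           /* is_selinux_enabled, setexeccon, freecon */
#include <selinux/get_context_list.h>  /* get_default_context */
#endif

enum ctx_status {
    CTX_NOT_BUILT = 0,  /* compiled without HAVE_SELINUX: nothing to do */
    CTX_DISABLED  = 1,  /* built with SELinux, but the running kernel has it off */
    CTX_SET       = 2,  /* exec context installed for the next execve() */
    CTX_FAILED    = 3   /* lookup or setexeccon failed: caller must refuse the login */
};

/*
 * Install the user's default context as the exec context of the calling
 * process.  setexeccon() affects only the calling process, so this has to
 * run in the forked child that goes on to execve() the session; running it
 * in the parent daemon (or from a PAM session module invoked there) labels
 * nothing the user will actually run.
 */
enum ctx_status session_set_exec_context(const char *login,
                                         char *errbuf, size_t errlen)
{
    errbuf[0] = '\0';
#ifndef HAVE_SELINUX
    (void)login;
    return CTX_NOT_BUILT;
#else
    char *scontext = NULL;

    /* 0 means the kernel is not running SELinux; any other value falls
     * through, so an unexpected answer fails closed rather than open. */
    if (is_selinux_enabled() == 0)
        return CTX_DISABLED;

    /* First entry of the user's default context list, computed relative to
     * the daemon's own context (NULL fromcon = current context). */
    if (get_default_context(login, NULL, &scontext) < 0) {
        snprintf(errbuf, errlen, "no default context for %s: %s",
                 login, strerror(errno));
        return CTX_FAILED;
    }
    if (setexeccon(scontext) != 0) {
        snprintf(errbuf, errlen, "setexeccon(%s) failed: %s",
                 scontext, strerror(errno));
        freecon(scontext);
        return CTX_FAILED;
    }
    freecon(scontext);
    return CTX_SET;
#endif
}

/*
 * Fork, set the exec context in the child, exec the session command, and
 * return the session's exit status (or -1 if fork/wait failed).  A child
 * that cannot get its context exits with 125 (an assumed code) instead of
 * starting the session, which is the fail-closed choice the patch makes
 * with exit(UNMANAGE_DISPLAY).
 */
int spawn_session(const char *login, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char err[256];
        if (session_set_exec_context(login, err, sizeof err) == CTX_FAILED) {
            fprintf(stderr, "refusing session for %s: %s\n", login, err);
            _exit(125);
        }
        execvp(argv[0], argv);
        _exit(127);  /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed stand-in for a real session command. */
    char *const cmd[] = { "sh", "-c", "echo session running as $(id -un)", NULL };
    return spawn_session("alice", cmd);
}
```

On an SELinux system built with `-DHAVE_SELINUX`, the session command's `id -Z` would show the user's default context rather than the daemon's; the ordering inside `spawn_session` (fork, then set the context, then exec) is the whole point, and moving the `session_set_exec_context` call before the `fork()` would silently relabel the daemon's next exec instead.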